- Related Stories
-
Microsoft's borrowed code may pose risk
March 14, 2002 -
Flaw leaves Linux computers vulnerable
March 11, 2002
The buffer overflow vulnerability exists in the open-source "zlib" component, Secunia said in an alert published Thursday. Using a specially crafted file, an attacker could take control over a computer or crash applications that use zlib, the security monitoring company said.
The process is used in a large number of open-source and proprietary software applications to compress and decompress data, and it ships with many Linux and BSD distributions. Zlib is described as "something of a de facto standard" by Wikipedia, the community-based online encyclopedia.
"Just about everything uses zlib, from Xbox games consoles and mobile phones to OpenSSH, so the potential impact is very high," Tavis Ormandy of the Gentoo Linux security audit team wrote in an e-mail interview. Ormandy is credited with discovering the vulnerability.
The flaw has been reported in version 1.2.2 of zlib, Secunia said, and earlier versions may also be affected.
Secunia rates the problem "highly critical," one notch below its highest risk rating, because there is no known exploit. The French Security Incident Response Team deems it "critical," its most serious rating.
Assessing the impact
The security vulnerability may affect many applications, but the potential impact is not simple to calculate, said Michael Sutton, a lab director at security company iDefense. "The exploitability may also depend on how the library was implemented, so we can't assume that all applications using zlib are immediately vulnerable," he said.
It won't be an easy task to exploit the vulnerability to run code on a victim's device or computer, Ormandy said. However, it is not hard to make applications crash, he noted. "We have some test cases that trigger the bug via images or browsers that use zlib," Ormandy said.
An update to zlib, version 1.2.3, is being prepared and tested for release to eliminate this vulnerability, Mark Adler, co-creator of the compression library, said in an e-mail to CNET News.com.
Fixes are already available for several Linux releases, including Suse, Red Hat, Gentoo, Ubuntu, Mandriva and Debian, according to the Secunia Web site. An update is also available for FreeBSD, it said.
Microsoft is still looking into the issue, a company representative said. "Initial investigation has revealed that currently supported versions of Microsoft Windows are not at risk from this vulnerability," the representative said. Microsoft has used zlib in programs such as Office, MSN Messenger and Internet Explorer, according to a list of applications that use the component posted by the zlib developers group on its Web site.
This is not the first flaw in zlib. Last year, a denial of service vulnerability was reported in the compression component, and three years ago, a problem in zlib memory-management functions raised concerns for remote attacks.
See more CNET content tagged:
Gentoo, flaw, vulnerability, open source, risk
vindicated once again. The problem was identified
by a third-party (not the author), fixed, and
propagated to open-source operating system
distribution maintainers in less than a day. One
need only update a single library and all is
fixed.
I'm a little confused as to why we don't see any
patches/updates from Microsoft yet, however.
Their software uses zlib all over. It's in .Net,
IE, Office, Windows Explorer, all over. Perhaps
it's statically linked (requiring a rebuild of
all those things).
It should be pointed out, however, that if the
same flaw were in a proprietary product
(Microsoft or otherwise), there would be
absolutely no chance that the flaw would be found
by a third party without an exploit first.
There's only tepid incentive to perform code
review of this sort, and fixing the problem
before it's detected by an end-user, particularly
if the fix is non-trivial, doesn't make economic
sense, particularly if you don't bear any
liability for issues that result.
It's not surprising that software has an issue.
People write it. People make mistakes. In this
case, other people were able to double-check the
author's work and fix it, and they did so very
quickly.
Ah, I know... the author must be a covert operative for Microsoft. It's common knowledge that MS is so afraid of other OS's that they'll use any tactic to discredit them. At least that's the gist of what the EU claims.
- Would not be found...
- by Jim Harmon July 10, 2005 4:02 PM PDT
- > It should be pointed out, however, that if the
- Like this Reply to this comment
-
(4 Comments)> same flaw were in a proprietary product
> (Microsoft or otherwise), there would be
> absolutely no chance that the flaw would be
> found by a third party without an exploit
> first.
If an exploit is never used, can it be called an exploit? The point being... when the source code IS "open", it invites everyone to look for exploits. Not everyone will be friendly enough to report it to the good guys first.
If my front door is unlocked, I sure as heck don't want to post sign on the door telling anyone who walks by about it... and then rely on my neighbors to come along and lock it for me.